Re: Shadow Passwords
In article <199602011844.TAA07677@i17linuxb.ists.pwr.wroc.pl>,
Marek Michalkiewicz  <marekm@i17linuxb.ists.pwr.wroc.pl> wrote:
[discussion about shadow passwords deleted]
>I think it would be nice to have a separate small shared library containing
>only crypt() - this way it will be easier to change in the future without
>need to rebuild the whole libc which is quite big already.  Unfortunately,
>this requires that all programs using crypt() are linked against the new
>library.

I don't know about PAM; it's been mentioned before and is probably the ideal
solution. However, the way SunOS does it is also nice:

- The password file contains ##loginname in the password field.
- The shadow file holds the real encrypted password.

Now, usually crypt is called by a user program like this:

  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <pwd.h>
  #include <unistd.h>     /* getpass(), crypt() (newer libcs: <crypt.h>) */

  struct passwd *pwd;
  char *pass, *crypted;

  pwd = getpwnam("luser");           /* pw_passwd: salt+hash, or ##luser */
  if (pwd == NULL) {                 /* unknown user: don't dereference NULL */
	printf("Login incorrect\n");
	exit(1);
  }
  pass = getpass("Password: ");

  /* crypt() takes the first two characters of pw_passwd as the salt */
  crypted = crypt(pass, pwd->pw_passwd);

  if (strcmp(pwd->pw_passwd, crypted) != 0) {
	printf("Login incorrect\n");
	exit(1);
  }

Crypt can be intelligent. If it sees that the "salt" passed to it is really
in the form ##loginname, it has a loginname/password combination. It can
then authenticate the user any way you want.

It could just call getspnam() and do shadow authentication. On success,
it would return ##loginname again, so that the strcmp() succeeds.

This would only take 2 changes:
- change the shadow utils to generate ##loginname in the plain password file
- change crypt in the shared library

The only problem I see is with NIS and NIS password files; they don't
have ##username in the password field. I think this can be solved by
checking if the encrypted password in the password field is valid. If
not (check for 13 characters in a valid range, see sulogin.c of sysvinit),
the library functions (getpw*) should replace it with ##username.

So the other change in the shared library would be:
- change the getpw* functions

and all programs are automatically shadow compatible.

PS. In SunOS, this modified crypt() calls a daemon to do the authentication.
It would be nice if we could have this functionality too. Crypt should
try to connect to some TCP or UDP port for authentication before trying
it locally. That way, I could share the password file from our Solaris box
(it also has shadow, but Linux doesn't support safe shadow over NIS yet)
for the userids and do the real authentication with RADIUS.

Mike.
--
+ Miquel van Smoorenburg   + Cistron Internet Services +  Living is a     |
| miquels@cistron.nl (SP5) | Independent Dutch ISP     |   horizontal     |
+ miquels@drinkel.ow.org   + http://www.cistron.nl/    +      fall        +